/*
 * Copyright 2010-2016 ksyun.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://ksyun.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */
package com.ksc.auth.policy;

/**
 * A principal is an AWS account or AWS web serivce, which is being allowed or
 * denied access to a resource through an access control policy. The principal
 * is a property of the {@link Statement} object, not directly the
 * {@link Policy} object.
 * <p>
 * The principal is A in the statement
 * "A has permission to do B to C where D applies."
 * <p>
 * In an access control policy statement, you can set the principal to all
 * authenticated AWS users through the {@link Principal#AllUsers} member. This
 * is useful when you don't want to restrict access based on the identity of the
 * requester, but instead on other identifying characteristics such as the
 * requester's IP address.
 */
public class Principal {

	/**
	 * Principal instance that includes all users, including anonymous users.
	 * <p>
	 * This is useful when you don't want to restrict access based on the
	 * identity of the requester, but instead on other identifying
	 * characteristics such as the requester's IP address.
	 */
	public static final Principal AllUsers = new Principal("AWS", "*");

	/**
	 * Principal instance that includes all AWS web services.
	 */
	public static final Principal AllServices = new Principal("Service", "*");

	/**
	 * Principal instance that includes all the web identity providers.
	 */
	public static final Principal AllWebProviders = new Principal("Federated",
			"*");

	/**
	 * Principal instance that includes all the AWS accounts, AWS web services
	 * and web identity providers.
	 */
	public static final Principal All = new Principal("*", "*");

	private final String id;
	private final String provider;

	/**
	 * Constructs a new principal with the specified AWS web service which is
	 * being allowed or denied access to a resource through an access control
	 * policy.
	 * 
	 * @param service
	 *            An AWS service.
	 */
	public Principal(Services service) {
		if (service == null) {
			throw new IllegalArgumentException(
					"Null AWS service name specified");
		}
		id = service.getServiceId();
		provider = "Service";
	}

	/**
	 * Constructs a new principal with the specified AWS account ID. This method
	 * automatically strips hyphen characters found in the account Id.
	 * 
	 * @param accountId
	 *            An AWS account ID.
	 */
	public Principal(String accountId) {
		this("AWS", accountId);

		if (accountId == null) {
			throw new IllegalArgumentException("Null AWS account ID specified");
		}
	}

	/**
	 * Constructs a new principal with the specified id and provider. This
	 * method automatically strips hyphen characters found in the account ID if
	 * the provider is "AWS".
	 */
	public Principal(String provider, String id) {
		this(provider, id, provider.equals("AWS"));
	}

	/**
	 * Constructs a new principal with the specified id and provider. This
	 * method optionally strips hyphen characters found in the account Id.
	 */
	public Principal(String provider, String id, boolean stripHyphen) {
		this.provider = provider;
		this.id = stripHyphen ? id.replace("-", "") : id;
	}

	/**
	 * Constructs a new principal with the specified web identity provider.
	 * 
	 * @param webIdentityProvider
	 *            An web identity provider.
	 */
	public Principal(WebIdentityProviders webIdentityProvider) {
		if (webIdentityProvider == null) {
			throw new IllegalArgumentException(
					"Null web identity provider specified");
		}
		this.id = webIdentityProvider.getWebIdentityProvider();
		provider = "Federated";
	}

	/**
	 * Returns the provider for this principal, which indicates in what group of
	 * users this principal resides.
	 * 
	 * @return The provider for this principal.
	 */
	public String getProvider() {
		return provider;
	}

	/**
	 * Returns the unique ID for this principal.
	 * 
	 * @return The unique ID for this principal.
	 */
	public String getId() {
		return id;
	}

	/**
	 * The services who have the right to do the assume the role action. The
	 * AssumeRole action returns a set of temporary security credentials that
	 * you can use to access resources that are defined in the role's policy.
	 * The returned credentials consist of an Access Key ID, a Secret Access
	 * Key, and a security token.
	 */
	static public enum Services {
		AllServices("*");
		private String serviceId;

		/**
		 * The service which has the right to assume the role.
		 */
		private Services(String serviceId) {
			this.serviceId = serviceId;
		}

		public String getServiceId() {
			return serviceId;
		}

		/**
		 * Construct the Services object from a string representing the service
		 * id.
		 */
		public static Services fromString(String serviceId) {
			if (serviceId != null) {
				for (Services s : Services.values()) {
					if (s.getServiceId().equalsIgnoreCase(serviceId)) {
						return s;
					}
				}
			}

			return null;
		}

	}

	/**
	 * Web identity providers, such as Login with Amazon, Facebook, or Google.
	 */
	static public enum WebIdentityProviders {

		Facebook("graph.facebook.com"), Google("accounts.google.com"), Amazon(
				"www.amazon.com"), AllProviders("*");

		private String webIdentityProvider;

		/**
		 * The web identity provider which has the right to assume the role.
		 */
		private WebIdentityProviders(String webIdentityProvider) {
			this.webIdentityProvider = webIdentityProvider;
		}

		public String getWebIdentityProvider() {
			return webIdentityProvider;
		}

		/**
		 * Construct the Services object from a string representing web identity
		 * provider.
		 */
		public static WebIdentityProviders fromString(String webIdentityProvider) {
			if (webIdentityProvider != null) {
				for (WebIdentityProviders provider : WebIdentityProviders
						.values()) {
					if (provider.getWebIdentityProvider().equalsIgnoreCase(
							webIdentityProvider)) {
						return provider;
					}
				}
			}

			return null;
		}

	}

	@Override
	public int hashCode() {
		final int prime = 31;
		int hashCode = 1;

		hashCode = prime * hashCode + provider.hashCode();
		hashCode = prime * hashCode + id.hashCode();
		return hashCode;
	}

	@Override
	public boolean equals(Object principal) {
		if (this == principal) {
			return true;
		}

		if (principal == null) {
			return false;
		}

		if (principal instanceof Principal == false) {
			return false;
		}

		Principal other = (Principal) principal;

		if (this.getProvider().equals(other.getProvider())
				&& this.getId().equals(other.getId())) {
			return true;
		}

		return false;
	}

}
